Edinburgh Orthopaedic Research Database Privacy Policy

This statement confirms Edinburgh Orthopaedic Research Database's commitment to protect your privacy and to process your personal information in a manner which meets the requirements of the General Data Protection Regulation 2018 (GDPR) which came into force on May 25th 2018.

Privacy Policy

This statement confirms Edinburgh Orthopaedic Research Database's commitment to protect your privacy and to process your personal information in a manner which meets the requirements of the General Data Protection Regulation 2018 (GDPR) which came into force on May 25th 2018.

This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us and is designed to cover a variety of processes and scenarios that the company undertakes.

Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

The rules on processing of personal data are set out in the GDPR.

 

Definitions:

Data controller – A controller determines the purposes and means of processing personal data.

Data processor – A processor is responsible for processing personal data on behalf of a controller.

Data subject – Natural person

 

Categories of data:

Personal data and special categories of personal data

Personal data – The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier (as explained in Article 6 of GDPR). For example name, NHS number, home address or private email address. Online identifiers include IP addresses and cookies.

Special categories personal data – The GDPR refers to sensitive personal data as ‘special categories of personal data’ (as explained in Article 9 of GDPR). The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Other examples include racial and ethnic origin, sexual orientation, health data, trade union membership, political opinions, religious or philosophical beliefs.

Processing – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Third party – means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

 

1. Who are we?

The Edinburgh Orthopaedic Research Dtabase is based within NHS Lothian and the University of Edinburgh. We can act as either a data controller and / or processor. This is because we hold data for a variety of reasons for patients and service users. When acting as a data controller this means we decide how your personal data is processed and for what purposes.

If you wish to contact us please use any of the methods below:

Our aim is to get back to you within 24 hours of your message.

Address: Edinburgh Orthopaedic Research Database, Department of Orthopaedic Surgery, Royal Infirmary of Edinburgh, Little France, Edinburgh, EH16 4SA, United Kingdom

Telephone: 0131 242 6462

Email: infoEORDBase@ed.ac.uk

 

EORDBase has undergone the following review in relation to Data Security and Risk Management:

Research Governance Compliance Audit

  • Our most recent assessment was reviewed as satisfactory on February 1st  2019. 

 

2. The purpose(s) of processing your personal data

EORDBase processes the personal data of patients selected for inclusion in any of our survey programmes and other individuals with whom it has a relationship, known as data subjects. Privacy notices will explain the purposes for this, among other things, usually at the point of collection.

We do not routinely collect personal information. However, due to the nature of work that we undertake we do collect and store such data within the requirements of each project.

This may include, but is not limited to:

  • Name, address and contact information such as email addresses and phone numbers
  • Information on health state and care received
  • Age, gender, occupational and other personal information

EORDBase will use this information for the following reasons:

  • Send information to you to enable you to take part in a specific survey or research project
  • Improve the services and care provided
  • We may monitor or record any communication between you and EORDBase for quality control and training purposes and as part of the survey administration process.

It is important to note that this data and derived information is not routinely shared with any third-parties or partners unless clearly stated in the specific documentation, consent statements and privacy notices.

 

3. The categories of personal data concerned

With reference to the categories of personal data described in the definitions section, we process the following categories of your data:

  • Personal data
  • Special Categories of Personal Data

 

4. What is our legal basis for processing your personal data?

  • Consent of the data subject
  • Processing necessary for the performance of an interaction with the data subject or to take steps to enter into an interaction
  • Processing necessary for compliance with a legal obligation
  • More information on lawful processing can be found on the ICO website.

 

5. Sharing your personal data

Your personal data will be treated as strictly confidential, and will be shared only with organisations clearly stated in the specific Privacy Notice.

 

6. How long do we keep your personal data?

We keep your personal data for no longer than reasonably necessary. In the case of survey respondents our default approach is 12 months after all processing activities have been completed. Again, this can vary by project but in such cases the retention period is clearly stated in the relevant documentation and privacy notice.

 

7. Your rights and your personal data

Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:

  • The right to request a copy of the personal data which we hold about you
  • The right to request that we correct any personal data if it is found to be inaccurate or out of date
  • The right to request your personal data is erased where it is no longer necessary to retain such data
  • The right to withdraw your consent to the processing at any time, where consent was your lawful basis for processing the data
  • The right to request that we provide you with your personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable i.e. where the processing is based on consent or is necessary for the performance of a contract with the data subject and where the data controller processes the data by automated means)
  • The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing
  • The right to object to the processing of personal data, (where applicable i.e. where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics)

 

8. Transfer of Data Abroad

We do not transfer personal data outside the EEA.

 

9. Automated Decision Making

We do not use any form of automated decision making.

 

10. Further processing

If we wish to use your personal data for a new purpose, not covered by this Data Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions.

 

11. Cookies

Cookies are text files, which identify a user's computer to our server. Cookies in themselves do not identify the individual user, just the computer used.

The University of Edinburgh website has a number of features that may require the use of cookies. The University of Edinburgh only uses this information to ensure users’ preferences for viewing the website are maintained.

Users may, of course, choose not to accept cookies from the University of Edinburgh website. Further information about cookies can be found at: www.aboutcookies.org

 

12. Links to other websites

There are hyperlinks within this website which will take you away from this EORDBase Privacy Policy. The linked sites are not under the control of EORDBase and therefore we are not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. EORDBase is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by EORDBase of the site.

 

13. Changes to our privacy policy

Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our privacy policy.